The Champion Brand | Global is Local | Know Whats Next | Integrated Insights | Return on Reputation

The Cybersecurity Challenge:

A Transatlantic View
resident Barack Obama and the European Union have both put forward proposals designed to deal with the cybersecurity threat, a serious economic and national security challenge. These proposals aim to strengthen the protection of critical information infrastructure as well as personal, trade and other information that individuals and public/private entities hold. An assessment of the similarities and differences of the cyber threat on both sides of the Atlantic was the topic of a recent APCO Forum event featuring former U.S. Congressman Cliff Stearns, a leading authority on cybersecurity; professor Laurens Jan Brinkhorst, the former minister of economic affairs in the Netherlands; and Andrew Serwin, chief executive officer of the Lares Institute and a distinguished lawyer with a background in privacy and consumer protection matters. >>

Congressman Cliff Stearns opened the discussion by noting that the U.S. Congress has not passed any significant cybersecurity legislation since the Federal Information Security Management Act of 2002, a largely bureaucratic measure which ultimately generated more paperwork than it did detecting data vulnerabilities. There are currently 12 cybersecurity bills in the House and four in the Senate, but the major bill sitting in the Senate is the Cyber Intelligence Sharing and Protection Act (CISPA), which has passed the House. The remaining bills either have little chance of becoming law or will do little to address the cyber threat. According to Stearns, it is critical for the U.S. Congress to take action on this important issue and pass CISPA. Offering a European perspective, Laurens Jan Brinkhorst highlighted the January 1, 2013, creation of the European Union Cybercrime Center, hosted by Europol in The Hague. The Cybercrime Center addresses cybercrime and cybersecurity strategy. The Cybercrime Centers top priorities include achieving cyber resilience at the EU level, reducing cybercrime possibilities, developing industrial and technological resources for cybersecurity, contributing to a cyber-defense policy and establishing a coherent, international cyberspace policy for the European Union that will provide context with third-party countries. The pending EU Directive on Network and Information Security and the recently released European Cybersecurity Strategy, which will have an important impact at the EU level, shows that national efforts already developed by European countries do not suffice. The purpose of the directive, which creates a common level of minimum standards, is to establish the framework for improved capabilities at the EU level, but also to address risk management across all markets, potentially including mandatory security audits and a broad breach notification obligation for the private sector. The overall objective of both the proposed directive and the Cybersecurity Strategy is to improve public-private partnerships, increase capacity to protect vital infrastructure and to have effective responses at the EU level. This strategy has already been criticized and its major limitations include: no common definition of what constitutes cybersecurity, no

sector-specific standards, not enough attention paid to the development of skills and education of the general public, and no acknowledgement of regional differences in cyber preparedness. Brinkhorst noted that the United States and European Union have a lot of common ground on cybersecurity cooperation. Both sides are attempting to create economic incentives to get both political and private sectors to invest in security concerns. Andrew Serwin discussed the behavioral, organizational and technical components to cybersecurity. Technology is forward looking and law is inherently retrospective, because citizens do not want governments stepping in to fix a problem that does not exist yet. If governments continue to chase technology, they will always be behind. Instead, policymakers must focus on the core problem, which is viewing cybersecurity as an asymmetric threat. To be vigilant in preventing cybercrime and ensuring cybersecurity, one must know their business better than those attempting to hack and gain more information. As long as governments and enterprises address the problem as being technology based then they will lose. Having the best arsenal does not ensure success as much as having the best strategy. Governments must establish doctrines and policies that eliminate the information advantage that another side can have. This can be accomplished through behavioral changes, organizational change and changes in technology. Certainly the military and intelligence community had to deal with information-sharing issues after 9/11. According to Serwin, the lesson from 9/11 is not that we didnt have all the dots to connect, it is that we couldnt connect the dots. The private sector faces the same challenge and needs behavioral change that will help drive better compliance, and improved cybersecurity and technology standards. Technology is not the only answer, it is one of three answers that will establish a strong cybersecurity policy. Serwin warned that companies have to do everything they can to safeguard their intellectual property at all levels. Once it is gone, a business will soon go bankrupt. CEOs are typically not aware of IP security issues, and while IP security is a risk or legal issue, it is also a core business issue. Company leaders, like CEOs, need to be proactive about IP risk and help engage stronger cybersecurity efforts. Stearns remarked that some of the top Fortune 500 companies are well aware of the cybersecurity problem and have the resources to protect themselves. However, there is not yet a federal standard that raises all companies up to a safety level that better protects their businesses, and in part, the country.

In terms of how this will affect business, Serwin stated that the public needs to accept that technology is not the core problem; it is a governance problem. Executives need to weigh risk and make decisions. They cannot make the right decisions unless they have accurate information in a timely manner. There needs to be better executive decision-making which will lead to increased profit, and reduced costs and cybersecurity risk. Cybersecurity is so vital to any developed country that any cyber attack will lead to economic loss. Indeed, various U.S. agencies list this potential threat as greater than more traditionally understood security threats. If Congress does not act, there needs to be an open dialogue to gather the best practices and create a common standard that raises companies to a minimum security standard. Those recommendations then need to be made available to small businesses that may not have the resources or expertise to protect themselves independently. In sum, the three key takeaways from the call are: The U.S. Congress needs to pass a bill that effectively addresses cybersecurity threats and that the president will sign into law. The presidents recent executive order should serve as a starting point. There is common ground between the United States and the European Union on this issue. Hopefully, it will not take a major cyber attack to fully cooperate and devote additional resources to protecting the public. This is not an issue of technology; rather it is a problem of ensuring proper information asymmetry.

Driving Global Dialogue

For more information, please visit www.apcoworldwide.com/forum
2013 APCO Worldwide Inc. All rights reserved.